I need to deploy FortiClient to about 150 devices. We are moving from ASA AnyConnect on short notice due to hardware-related issues. We have access to Datto RMM which we could use to deploy a FortiClient package but would need instructions as we are new to Datto as well.
We may consider EMS down the road but would be happy if I could avoid it as there would be one less thing to deal with and patch.
If we eventually go the EMS route, would we be able to install the EMS package over this install or do we have to deal with an uninstall nightmare? Any version of FortiClient would work? We will use Azure accounts to authenticate with MFA. Thank you
Set up the VPN client as you desire. Export the config to XML. Use an endpoint deployment / software deployment for your endpoints and install the FortiClient using the .msi and xml file with the command switches.
I’ll send the command switches in a bit. Right now I’m engaged in a heated UNO game. Fists are about to swing…
This is how I did it.
- Deployed FortiClient .msi using MDM (Intune in our case).
- Deploy profiles by adding new registry keys.
Profiles are stored here:
HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\ProfileName
I’m going to be contrary. Having tried the tricks and tips with the free VPN client over the years, I’m starting to move clients to FortiClient EMS Cloud and ZTNA.
Get a free trial and check it out.
I know the SSL client is an easy-button setup mostly, but I will point out that FortiGates are also compatible with the Windows 10/11 built-in VPN. You can also do the Windows always-on device VPN if you have the Windows Enterprise license. SSL VPNs (regardless of the maker) have a bad track record security-wise, and Fortinet is no exception. Every time I go looking at FortiClient and FortiGate updates there are SSL CVEs being patched.
This is how we did it. We use Lansweeper to deploy the package and then it runs a script after the install to import the config. Works well when you have to push out VPN client updates as well for patching purposes.
This is how we've done it to switch to SAML auth.
This or directly edit the MSI. Voids the signing of course, but with a deployment tool this doesn’t matter.
How do I export the settings to XML? I should be able to deploy the msi but not sure how to deploy the xml file alongside the msi install. I would appreciate the instructions alongside the command switches.
Any chance you can share those command switches to deploy the xml with the msi?
Any chance I can get those command switches too?
Yeah, we did this at a moment's notice when COVID hit - we were on the native Windows VPN and stuck everyone on the free version of FortiClient, then dumped the VPN configs to their PCs through the SCCM deployment. We did this in a few days and it pretty much went off without a hitch. Surprised us lol.
Can you send me this setup!?
I am about to deploy FortiClient as well!
So, you are suggesting that I export the registry and somehow deploy to all users? How is this different from the XML profile deployment suggested above?
How we do it as well. Also use it to enable DTLS.
How do you edit the msi and what deployment tool do you use?
Let me explain.
We used Intune to deploy both using PowerShell scripts to install and add registry keys.
Why we separated this? Makes deploying new or editing existing profiles possible without reinstalling FortiClient.
Orca is the basic tool, but IMHO a PITA to use.
I used https://www.advancedinstaller.com/msi-editor.html in the past and it was super easy to use.
You really don't need a deployment tool for this. GPOs are enough.
We use SCCM, but that is probably a bit overkill for your size.
Easydeploy or PDQ Deploy are the usual go-to’s for SMBs
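
Added example, not part of any post in this thread: a PowerShell sketch of the install-then-registry approach described above, with a signature/hash gate because an edited MSI no longer carries a valid vendor signature. The staging path, profile name, gateway, pinned hash and the value names written under the tunnel key are assumptions; confirm the value names by exporting the key from a manually configured client.

```powershell
# Added example. All values below are hypothetical placeholders.
$Msi            = 'C:\Deploy\FortiClientVPN.msi'        # hypothetical staging path
$ProfileName    = 'CorpVPN'                             # hypothetical profile name
$Gateway        = 'vpn.example.com:443'                 # hypothetical gateway
$ExpectedSha256 = '<SHA256-OF-YOUR-INTERNAL-PACKAGE>'   # pin only if you edited the MSI

function Test-InstallerTrust {
    param([string]$Path, [string]$PinnedHash)
    # Untouched vendor MSI: the Authenticode signature should verify.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') {
        Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
        return $true
    }
    # Edited MSI: signature is gone or broken, so fall back to a hash
    # recorded when the package was built internally.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -eq $PinnedHash) { return $true }
    Write-Warning "Signature status '$($sig.Status)' and hash $hash is not pinned"
    return $false
}

function Install-Client {
    param([string]$Path)
    # /i, /qn and /norestart are standard Windows Installer switches.
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Path`" /qn /norestart" -Wait -PassThru
    # 0 = success, 3010 = success but reboot required.
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }
}

function Set-TunnelProfile {
    param([string]$Name, [string]$Server)
    # Key path as given in the thread; value names are assumptions.
    $key = "HKLM:\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$Name"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Server' -Value $Server -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description' -Value $Name -PropertyType String -Force | Out-Null
}

if (-not (Test-InstallerTrust -Path $Msi -PinnedHash $ExpectedSha256)) {
    throw "Refusing to install $Msi: not vendor-signed and not the pinned internal build"
}
Install-Client -Path $Msi
Set-TunnelProfile -Name $ProfileName -Server $Gateway
```

Run it elevated (writes to HKLM). Keeping the profile step in its own function matches the point made in the thread that profiles can be added or changed later without reinstalling the client.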